Abstract


Information fusion includes signals, features, and decision-level analysis over
various types of data including imagery, text, and cyber security detection. With the
maturity of data processing, the explosion of big data, and the need for user acceptance,
the Dynamic Data-Driven Application System (DDDAS) philosophy fosters insights
into the usability of information systems solutions. In this paper, we explore a notion of
an adaptive adjustment of secure communication trust analysis that seeks a balance
between standard static solutions versus dynamic data-driven updates. A use case is
provided in determining trust for a cyber security scenario exploring comparisons of
Bayesian versus evidential reasoning for dynamic security detection updates. Using the
evidential reasoning proportional conflict redistribution (PCR) method, we demonstrate
improved trust for dynamically changing detections of denial of service attacks.


1 Introduction 


Information fusion (Blasch, et al., 2012) has a well-documented following of different methods, 
processes, and techniques emerging from control, probability, and communication theories. 
Information fusion systems designs require methods for big data analysis, secure communications, 
and support to end users. Current information fusion systems use probability, estimation, and signal 
processing. Extending these techniques to operational needs requires an assessment of some of the
fundamental assumptions such as secure communications over various data, applications, and 
systems. Specifically, the key focus of this paper is based on the question of measuring trust in static 
versus dynamic information fusion systems. 

Static versus dynamic information fusion comes from three perspectives such as data, models, and
processing. As related to information fusion techniques, many studies exist on centralized versus
distributed processing, single versus multiple models, and stovepipe versus multi-modal data. In each
case, static information fusion rests in centralized processing from single model estimation over a
single source of data. On the other extreme is distributed processing, using multiple models over
multi-modal data, which in reality is supposed to cover the entire gamut of big data solutions captured
in large-scale systems designs. In reality, with such an ambitious goal, there are always fundamental
assumptions that tailor the system design to the user needs. For example, a system could be designed
to capture all image data being collected from surveillance sensors; however, filtering collections over
a specific area, for a designated time interval, at a given frequency helps to refine answers to user
requests. Thus, as a user selects the details of importance, responses should be accessible, complete,
and trustworthy.

Dynamic information fusion is a key analysis of the paper of which we focus on trust. If a machine
is processing all the data, then time and usability constraints cannot be satisfied. Thus, either the user
or the machine must determine the appropriate set of data, models, and processing that is needed for a
specific application. Trust analysis is required to determine security and reliability constraints, and 
DDDAS provides a fresh look at the balance between static and dynamic information fusion. In this 
paper, we explore the notions of dynamic information fusion towards decision making as cyber 
detections change. 

In Section 2 we overview information fusion and DDDAS. Section 3 discusses the notions of trust 
as a means to balance between information fusion and dynamic data detections. Section 4 compares 
Bayesian versus evidential reasoning. Section 5 provides a use-case for analysis for cyber trust and 
Section 6 provides conclusions.


2 Information Fusion and DDDAS 


Information fusion and DDDAS overlap in many areas such as data measurements, statistical 
reasoning, and software development for various applications. Recently, there is an interest in both 
communities to address big data, software structures, and user applications. The intersection of these 
areas includes methods of information management (Blasch, 2006) in assessing trust in data access, 
dynamic processing, and distribution for applications-based end users. 


2.1 Information Fusion 


The Data Fusion Information Group (DFIG) model, shown in Figure 1, provides the various 
attributes of an information fusion systems design. Information fusion concepts are divided between 
Low-level Information Fusion (LLIF) and High-level Information Fusion (HLIF) (Blasch, et al., 
2012). LLIF (L0-1) composes data registration (Level 0 [L0]) and explicit object assessment (L1)
such as an aircraft location and identity (Yang, 2009). HLIF (L2-6) composes much of the open 
discussions in the last decade. The levels, to denote processing, include situation (L2) and impact (L3) 
assessment with resource (L4), user (L5) (Blasch, 2002), and mission (L6) refinement (Blasch, 2005). 
Here we focus on Level 5 fusion by addressing cybersecurity trust in systems design.

Figure 1. DFIG Information Fusion model (L = Information Fusion Level).


Data access for information fusion requires an information management (IM) model of the enterprise
architecture, as shown in Figure 2. The IM model illustrates the coordination and flow of data through
the enterprise with the various layers (Blasch, et al., 2012).


People or autonomous agents interact with the managed information enterprise environment by 
producing and consuming information. Various actors and their activities/services within an IM 
enterprise surround the IM model that transforms data into information. Within the IM model, there 
are various services that are needed to process the managed information objects (MIOs). Security is 
the first level of interaction between users and data. 

[Figure 2 image not reproduced; labels: Managers, Operating Environment and Mission Roles, Security (Control Access and Audit Logs, Sanitize Cross-Domain Content), Federates, Meta Data Standards, Data Products, Log Transactions, Producers, Formats and Standards, Consumers.]

Figure 2. Information Management (IM) Model.


A set of service layers are defined that use artifacts to perform specific services. An artifact is a 
piece of information that is acted upon by a service or that influences the behavior of the service (e.g., 
a policy). The service layers defined by the model are: Security, Workflow, Quality of Service (QoS), 
Transformation, Brokerage, and Maintenance. These services are intelligent agents that utilize the
information space within the architecture, such as cloud computing and machine analytics. Access to
the data requires secure communications which is dynamic, data-type driven, and application specific. 


2.2 Dynamic Data Driven Application Systems (DDDAS) 


DDDAS is focused on applications modeling (scenarios), mathematical and statistical algorithms 
(theory), measurement systems, and systems software as shown in Figure 3. For a systems application,
user mission needs drive data access over the scenarios. The available data is processed from
measurements to information using theoretical principles. The data-driven results are presented to the
user through visualizations; however, the trust in the data is compounded by data quality, the model
fidelity, and systems availability of which software is an integral part to a systems application.

[Figure 3 image not reproduced; labels: Information Fusion Levels, Models.]

Figure 3. DDDAS Aligned with Information Fusion.


Using a cyber example for DDDAS, the application is secure data communications to meet 
mission needs (L6). While not a one-to-one mapping, it can be assumed that data management, driven 
by scenarios, identifies cyber threat attacks (L3) such as denial of service attacks. The theory and 
measurements come from the models of normal behavior (L1) which use computational methods to 
support cyber situation awareness (L2) visualization. The user (L5) interacts with the machine through 
data management (L4), as new measurements arrive. Current research seeks distributed, faster, and 
more reliable communication systems to enable such processing and coordination between the man
and their machines; however, measurement of trust is paramount.


3 Trust in Information Processing 


Several theories and working models of trust in automation have been proposed. Information 
which is presented for decision-aiding is not uniformly trusted and incorporated into situation 
awareness. Three proposed increasing levels, or ‘stages of trust’, for human-human interactions
include: Predictability, Dependability, and Faith (Rempel, et al., 1985). Participants progress through 
these stages over time in a relationship. The same was anticipated in human-automation interactions, 
either via training or experience. The main idea is that as trust develops, people will make decisions 
based upon the trust that the system will continue to behave in new situations as it has demonstrated in 
the past. Building upon Rempel’s stages, (Muir & Moray, 1996) postulated that 


Trust = Predictability + Dependability + Faith + Competence + Responsibility + Reliability 


and further defined the construct of Distrust, which (1) can be caused by the operator feeling that the
automation is undependable, unreliable, unpredictable, etc. and (2) a set of dimensions related to
automation failures, which may cause distrust in automated systems (location of failure, causes of
failure or corruption, time patterns of failure).


Table 1, adapted below from (Muir & Moray, 1996), depicts the quadrant of trust and distrust 
behaviors with respect to good or poor quality of the automation. Basically, the outcome of a wrong 
decision to trust the automation is worse than the outcome of a wrong decision to not trust the 
automation. Hence, security is enforced to not trust a poor decision. 


Operator's trust & allocation of function | Quality of the automation: 'Good' | Quality of the automation: 'Poor'
Trusts and uses the automation | Appropriate Trust (optimize system performance) | False Trust (risk automated disaster)
Distrusts and rejects the automation | False Distrust (lose benefits of automation, inc. workload) | Appropriate Distrust (optimize system performance)

Table 1: Trust, Distrust, and Mistrust, (adapted from Muir and Moray, 1996)


Trust in the automation clearly impacts a user's mental model of secure communications. Therefore,
dynamic models must be devised to account for different levels of attention, trust, and interactions in 
Human in the Loop (HIL) and Human on the Loop (HOL) designs. A user must be given permission 
to refine the assessment for final decision for validity and reliability of the information presented. 
User Trust issues then are confidence (correct detection), security (impacts), integrity (what you 
know), dependability (timely), reliable (accurate), controllability, familiar (practice and training), and 
consistent (reliable). 

Trust in information processing involves many issues; however, here we focus on the development
of a cyber domain trust stack as shown in Figure 4. The trust stack composes policies, trust authority,
collecting raw metrics and behavior analysis, leading to authentication and authorization, and then
secure communications. Similar to the information management model, policies are important to
determine whether data access is available. Likewise, sensor management gets access to raw metrics
(Blasch, 2004) that need to be analyzed for situation awareness. The problem not being fully addressed
is the impeding results for secure communications. In what follows, we discuss the main functions to
be provided by each layer in the trust stack shown in Figure 4.


[Figure 4 image not reproduced; layers: Policies Enforcement, Domain Trust Enforcement, Collect Raw Measurements, Behavior Analysis (Situation Awareness), Authentication and Authorization, Secure Communication.]

Figure 4. Trust Stack.

3.1 Secure Communications, Authentication, and Authorization 


Secure communications is an important property to guarantee the confidentiality and integrity of
the messages used to evaluate trust in the system. Certificates are used to verify the identity of
communicating end-devices (Kaliski, 1993). The communication channel is encrypted using DES
(Data Encryption Standard, 2010) in CFB64 (Cipher Feedback) mode. In this CFB mode, the first 8
bytes of the generated key are used to encrypt the first block of data. This encrypted data is then used as a
key for the second block. This process is repeated until the last block is encrypted. DES is still
used in legacy virtual private networks (VPNs) and could benefit from a DDDAS trust analysis even
when used with multiple protocol authentication systems such as Kerberos.

Multiple protocols have been developed over the years for password-based authentication, 
biometric authentication, and remote user authentication. In order to evaluate the trust of different 
entities with many users, multiple systems, and multiple domains, we assume the use of remote user 
authentication. Remote Authentication Dial-In User Service (RADIUS) (Willens, et al, 2000) is a 
famous client/server protocol to allow remote entities to communicate with a server to authenticate 
remote users. RADIUS gives an organization the ability to maintain user profiles in a specific database that
the remote servers share.

The Domain Trust Enforcement (DTE) agent performs the authorization process for the end-to-end
adaptive trust. Based on the results of the authentication process and the received trust level, the
DTE agent grants or denies authorization to access the resources, i.e., allow or deny the
communication between the different entities.


3.2 Collecting Raw Measurements 


Much software, both commercial and open source, is available and provides important health and
security information, such as Nagios (Nass, 2009). This information can be used to extract metrics 
that can be used to evaluate the trust of different entities. These metrics can be divided into multiple 
categories based on their source: User, Application, Machine, Connection, or Security Software 
Alerts. In order to evaluate the trust, the metrics need to be quantified and normalized (e.g., between 0 
and 1) to a common scale. Table 2 shows a set of measured metrics and their quantification function 
and Figure 5 shows these categories with some example metrics. 


Category | Metric | Quantification function Q
User | Password strength | Q = 0 if Length < 8; Q = 0.1 + 0.9 × (Password Length / Maximum Password Length) otherwise
User | Days since last password change | (cases not fully legible in the source; the surviving terms are the number of days and the Maximum Number of Days)
User | Number of authentication failures | Q = 0 if #failures > Maximum Number Of Allowed Failures; Q = 1 − #failures / Maximum Number Of Allowed Failures otherwise
User | Lock outs | Q = 0 if #Lock Outs > Maximum Number Of Allowed Lock Outs; Q = 1 − #Lock Outs / Maximum Number Of Allowed Lock Outs otherwise
(not legible) | (not legible) | Q = 1 for Global Administrator; (middle case not legible); Q = 0 for No Administrator
Connection | Number of hops | (case values not legible; the surviving terms are the condition #Hops > Maximum Number Of Hops and the ratio #Hops / Maximum Number of Hops)
Connection | Number of discarded packets | Q = 0 if #Discarded Packet > Maximum #Discarded Packet; Q = 1 − #Discarded Packet / Maximum #Discarded Packet otherwise
Machine | Firmware version | Up to date (value not legible); Q = 0.5 if 1 version behind; Q = 0 otherwise
(not legible) | (not legible) | No Shared Folders (value not legible); Q = 0 for Shared System Folders; Otherwise (value not legible)
(not legible) | (not legible) | Q = 1 for No Problem; Q = 0 for Problem in system integrity
(not legible) | (not legible) | Q = 1 for No Alert; Q = 0.5 for Virus found in a document; Q = 0.25 for Virus found in an executable; Q = 0 for worm found

Table 2: Examples of metric quantification


3.3 Behavior Analysis 


Behavior analysis techniques apply statistical and data mining techniques to determine the current 
operating zone of the execution environment (situation awareness) and also project its behavior in the 
near future. The operating point (OP) of an environment can be defined as a point in an n-dimensional 
space with respect to well-defined attributes. An acceptable operating zone can be defined by 
combining the normal operating values for each attribute. At runtime, the operating point moves from 
one zone to another and that point might move to a zone where the environment does not meet its trust 
and security requirements. We use these movements in the OP to adjust the trust value of the current 
environment as will be discussed in further detail in the Domain Trust Authority section. By 
continuously performing behavior analysis of the environment, we can then proactively predict and 
detect the anomalous behaviors that might have been caused by malicious attacks. Furthermore, once 
it is determined that the environment’s operating point is moving outside the normal zone, it will 
adopt its trust value and then determine the appropriate proactive management techniques that can 
bring back the environment situation to a normal operating zone. 

[Figure 5 image not reproduced; it groups example trust metrics by source (User, Application, Machine, Connection, Security Software Alerts), e.g., password strength, days since last password change, number of authentication failures, lock outs, OS/firmware/services versions, shared folders, number of hops, number of discarded or error packets, antivirus, firewall.]

Figure 5. Trust Metrics.


3.4 Domain Trust Authority


DTA evaluates the end-to-end trust over secure communications. It defines a tuple (machine,
application, user, data) to be an entity, and all communications among entities have a certain context.
Thus authentication is conducted per entity. Every entity has a trust level associated with it. In order
to measure the trust, trust metrics are introduced, and they take values between 0 and 1, where 0
represents distrust and 1 represents blind or full trust. The trust measurements for all entities are
stored in an entity called the Trust Authority. The NIST standard SP 800-53 (NIST, 2010) is used and it
defines four levels of trust:


High Tassi 
trust Value | o0 | os | oe | 100 | 


Initially, a risk and impact analysis is performed to quantify the impact of each component on the 
overall operations of the network. Common Vulnerabilities and Exposures (CVE) and Common 
Vulnerability Scoring System (CVSS) are used to evaluate the initial impact for both software and the 
environment, and reputations of the users are used to assign their initial impacts. Based on the initial 
impact analysis, the initial trust values for each entity are determined. The risk and impact analysis
performed is consistent with the NIST “Recommended Security Controls for Federal Information
Systems and Organizations” report. According to the NIST report, risk measures the extent to which
entities are threatened by circumstances or events. The risk is a function of impact and its probability
of occurrence. Risks arise from the loss of confidentiality, integrity, and/or availability of information
and resources. Thus the initial trust T can be viewed as an inverse function of the risk R:


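$$T = 1/R \tag{1}$$

where the risk of an entity $i$ is a function of the impact $\mathrm{imp}$:

$$R_i = \mathrm{imp}_i(\text{confidentiality}) \cdot \Pr\,\mathrm{imp}_i(\text{confidentiality}) + \mathrm{imp}_i(\text{integrity}) \cdot \Pr\,\mathrm{imp}_i(\text{integrity}) + \mathrm{imp}_i(\text{availability}) \cdot \Pr\,\mathrm{imp}_i(\text{availability}) \tag{2}$$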


When a new entity is added, it has to register with the Mutual Authentication (MA) module and 
then its initial trust value can be quantified according to Equations 1 and 2. 


Verify Trust 

When an entity communicates with another entity, an Autonomic Trust Management (ATM) agent
obtains the trust level of the entity that it needs to interact with from the Trust Authority (TA), see
Figure 6. If the trust level of the remote entity is below the minimum required trust level set in the
policies, then the communication is dropped. By continuously checking with the TA module, any
interacting entities will not be able to communicate if they do not meet the end-to-end trust policies.
Once the component trust level is verified, they can proceed and interact securely using the secure
communications.

[Figure 6 image not reproduced; labels: Mutual Authentication, Trust Authority, End-to-End Communication.]

Figure 6. Adaptive End-to-End Trust


Adaptive Trust 

The trust value assigned to each component is not static and is updated continuously. The Trust 
Authority module is the one responsible for re-evaluating the trust at runtime. As mentioned in the 
previous section, the trust is measured per entity and the trust levels are between 0 and 1. 


$$T(E) \in [0, 1] \tag{3}$$


Each interaction between entities is governed by a context C. Thus, trust level for entities is
computed per context:


$$T(E, C) \in [0, 1] \tag{4}$$


A Forgiveness Factor, F, is assigned to provide an adaptive mechanism for compromised entities
to start gaining trust after all existing vulnerabilities have been fixed. Based on the impact of the entity
on the overall operations, we can control the time it takes for that entity to recover its trust level.
Monitoring, measuring, and quantifying trust metrics are required, and they are performed by the
ATM. $M_i$ will denote the collected trust metric, where $i$ is the metric identifier. The function $m_i()$ is a
quantifying function that returns a measurement between 0 and 1 for the metric $M_i$.

The overall trust for an entity is computed using two types of trust: 1) self-measured trust and 2)
reputation-measured trust. The self-measured trust $T_S$ is the trust that is evaluated based on the
measurement performed by the ATM agent that manages the entity, while the reputation-measured
trust $T_R$ is based on the trust metrics collected from peers based on a previous recent interaction with
the entity for which the trust is being re-evaluated. $T_S$ and $T_R$ are given by the following equations:


$$T_S(E, C) = T(\mathrm{ATM}_E, C) \cdot \sum_{i=1}^{L} J_i(C) \cdot m_i(M_i)$$

$$T_R(E, C) = \frac{1}{K} \sum_{j=1}^{K} T(\mathrm{ATM}_j, C) \cdot \sum_{i=1}^{L} J_i(C) \cdot m_i(M_i) \tag{5}$$

The value of the metric weight $J_i$ for metric $i$ is determined based on the feature selection
technique, where:

$$\sum_{i=1}^{L} J_i(C) = 1 \tag{6}$$

Based on the context and the type of operations, the end-to-end trust is evaluated using three trust
evaluation strategies: Optimistic, Pessimistic, and Average. The end-to-end trust for each strategy can
be evaluated as follows:

Trust confidence and trust evaluation strategy:
Optimistic: $T(E, C) = \max\{T_S(E, C), T_R(E, C)\}$
Average: $T(E, C) = \mathrm{ave}\{T_S(E, C), T_R(E, C)\}$
Pessimistic: $T(E, C) = \min\{T_S(E, C), T_R(E, C)\}$





Once $T(E, C)$ is computed, it is mapped to the nearest trust level (High, Moderate, Low,
and None).
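
The trust pipeline of Sections 3.2 and 3.4 (quantify metrics as in Table 2, weight them as in Equations 5 and 6, apply an evaluation strategy, map to a level, then allow or drop), as an added Python example that is not code from the paper. The level values, weights, sample measurements and all function names are constructed assumptions; the paper's own table of level values is not legible here.

```python
import math

# Assumed numeric anchors for the four trust levels (illustrative placeholders).
TRUST_LEVELS = {"None": 0.0, "Low": 0.33, "Moderate": 0.66, "High": 1.0}
LEVEL_ORDER = ["None", "Low", "Moderate", "High"]

# Categorical quantification for security software alerts (values from Table 2).
ALERT_SCORE = {"no_alert": 1.0, "virus_in_document": 0.5,
               "virus_in_executable": 0.25, "worm": 0.0}


def q_password_strength(length, max_length):
    """Table 2: 0 below 8 characters, else 0.1 + 0.9 * length / max_length."""
    if length < 8:
        return 0.0
    # Clamp so an over-long password cannot push the score above 1.
    return 0.1 + 0.9 * min(length, max_length) / max_length


def q_bounded_count(count, maximum):
    """Table 2 (failures, discarded packets): 0 above the maximum, else 1 - count/maximum."""
    return 0.0 if count > maximum else 1.0 - count / maximum


def quantify(raw):
    """Normalize one raw measurement record to metric scores in [0, 1]."""
    return {
        "password": q_password_strength(raw["pw_len"], raw["pw_max"]),
        "auth_failures": q_bounded_count(raw["failures"], raw["max_failures"]),
        "discarded": q_bounded_count(raw["discarded"], raw["max_discarded"]),
        "alert": ALERT_SCORE[raw["alert"]],
    }


def weighted_trust(atm_trust, weights, scores):
    """Equation 5, inner term: T(ATM, C) * sum_i J_i(C) * m_i(M_i)."""
    if not math.isclose(sum(weights.values()), 1.0):
        raise ValueError("metric weights must sum to 1 (Equation 6)")
    return atm_trust * sum(weights[name] * scores[name] for name in weights)


def reputation_trust(weights, peer_reports):
    """Equation 5, T_R: mean over K peers of each peer's weighted trust."""
    if not peer_reports:
        raise ValueError("reputation trust needs at least one peer report")
    total = sum(weighted_trust(t, weights, quantify(raw)) for t, raw in peer_reports)
    return total / len(peer_reports)


STRATEGIES = {"optimistic": max, "pessimistic": min,
              "average": lambda a, b: (a + b) / 2.0}


def end_to_end_trust(t_self, t_reputation, strategy):
    return STRATEGIES[strategy](t_self, t_reputation)


def trust_level(t):
    """Map a trust value to the nearest named level."""
    return min(TRUST_LEVELS, key=lambda name: abs(TRUST_LEVELS[name] - t))


def authorize(t, minimum_level):
    """Policy check: drop the communication when the level is below the minimum."""
    return LEVEL_ORDER.index(trust_level(t)) >= LEVEL_ORDER.index(minimum_level)


# Constructed sample data: one entity as seen by its own ATM agent and two peers.
WEIGHTS = {"password": 0.2, "auth_failures": 0.2, "discarded": 0.2, "alert": 0.4}
SELF_RAW = {"pw_len": 12, "pw_max": 16, "failures": 1, "max_failures": 5,
            "discarded": 20, "max_discarded": 100, "alert": "virus_in_document"}
PEER_REPORTS = [(0.9, dict(SELF_RAW, alert="worm")),  # peer 1 saw a worm alert
                (0.8, dict(SELF_RAW))]                 # peer 2 agrees with self

if __name__ == "__main__":
    t_s = weighted_trust(1.0, WEIGHTS, quantify(SELF_RAW))
    t_r = reputation_trust(WEIGHTS, PEER_REPORTS)
    for name in STRATEGIES:
        t = end_to_end_trust(t_s, t_r, name)
        print(name, round(t, 4), trust_level(t), authorize(t, "Moderate"))
```

With a minimum level of Moderate, the same measurements are allowed under the optimistic strategy and dropped under the pessimistic one, so the choice of strategy is itself a policy decision.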

The Trust Authority module continuously evaluates the trust for all components and their entities 
whenever new metrics are obtained from the ATM agents that require an update to entity trust 
evaluation above depending on the trust evaluation strategy. Various reasoning evaluation strategies 
exist, such as that of Bayesian, Evidential Reasoning, and Belief Functions (Blasch, et al, 2013), that 
can be used to evaluate trust. 

In a DDDAS cyber environment, there are many levels of information fusion, but to build a 
trustworthy DDDAS environment, we need to check the trust of each level of information fusion. The 
Domain Trust Authority is the place to verify the trust of each entity passing information within the 
DDDAS environment. When the trust level drops below a certain threshold, the incoming data can be
dropped to enable secure communications. What follows are the DDDAS theory, simulations,
measurements, and software analysis for Information fusion levels of cyber data, situation/behavior
assessment, information management, and user refinement.


3.5 Bayes versus Evidential Reasoning 


A fundamental technique for data fusion is Bayes Rule. Recently, (Dezert, et al., 2012) has shown 
that Dempster’s rule is consistent with probability calculus and Bayesian reasoning if and only if the 
prior P(X) is uniform. However, when the P(X) is not uniform, then Dempster’s rule gives a different 
result. Both (Yen, 1986) and (Mahler, 1996) developed methods to account for non-uniform priors. 
Others have also tried to compare Bayes and evidential reasoning (ER) methods (Mahler, 2005, 
Blasch, et al., 2013). Assuming that we have multiple measurements $Z = \{Z_1, Z_2, \ldots, Z_n\}$ for cyber
detection D being monitored, Bayesian and ER methods are developed next. 


3.6 Relating Bayes to Evidential Reasoning 


Assuming conditional independence, one has the Bayes method:

$$P(X \mid Z_1 \cap Z_2) = \frac{P(X \mid Z_1)\, P(X \mid Z_2)\, /\, P(X)}{\sum_{i=1}^{N} P(X_i \mid Z_1)\, P(X_i \mid Z_2)\, /\, P(X_i)} \tag{7}$$

With no information from $Z_1$ or $Z_2$, then $P(X \mid Z_1, Z_2) = P(X)$. Without $Z_2$, then $P(X \mid Z_1, Z_2) = P(X \mid Z_1)$,
and without $Z_1$, then $P(X \mid Z_1, Z_2) = P(X \mid Z_2)$. Using Dezert's formulation, then the denominator
can be expressed as a normalization coefficient:

$$m_{12}(\emptyset) = 1 - \sum_{X_i, X_j \mid X_i \cap X_j \neq \emptyset} P(X_i \mid Z_1)\, P(X_j \mid Z_2) \tag{8}$$

Using this relation, then the total probability mass of the conflicting information is

$$P(X \mid Z_1 \cap Z_2) = \frac{1}{1 - m_{12}(\emptyset)} \cdot P(X \mid Z_1)\, P(X \mid Z_2) \tag{9}$$

which corresponds to Dempster's rule of combination using Bayesian belief masses with uniform
priors. When the priors are not uniform, then Dempster's rule is not consistent with Bayes' Rule. For
example, let $m_0(X) = P(X)$, $m_1(X) = P(X \mid Z_1)$, and $m_2(X) = P(X \mid Z_2)$, then

$$\frac{m_0(X)\, m_1(X)\, m_2(X)}{1 - m_{012}(\emptyset)} = \frac{P(X)\, P(X \mid Z_1)\, P(X \mid Z_2)}{\sum_{i=1}^{N} P(X_i)\, P(X_i \mid Z_1)\, P(X_i \mid Z_2)} \tag{10}$$

Thus, methods are needed to deal with non-uniform priors and appropriately redistribute the
conflicting masses.


3.7 Proportional Conflict Redistribution 


Recent advances in DS methods include Dezert-Smarandache Theory (DSmT). DSmT is an 
extension to the Dempster-Shafer method of evidential reasoning which has been detailed in 
numerous papers and texts: Advances and applications of DSmT for information fusion (Collected 
works), Vols. 1-3 (Dezert, et al., 2009). (Dezert, et al., 2002) introduced the methods for the
reasoning and (Dezert, et al., 2003) presented the hyper power-set notation for DSmT. Recent
applications include the DSmT Proportional Conflict Redistribution rule 5 (PCR5) applied to target 
tracking (Blasch, 2013). 

The key contributions of DSmT are the redistributions of masses such that no refinement of the
frame $\Theta$ is possible unless a series of constraints are known. For example, Shafer’s model (Shafer,
1976) is the most constrained DSm hybrid model in DSmT. Since Shafer’s model, authors have
continued to refine the method to more precisely address the combination of conflicting beliefs
(Josang, et al., 2006) and generalization of the combination rules (Smarandache, et al., 2005, Daniel,
2006). An adaptive combination rule (Florea, et al., 2006) and rules for quantitative and qualitative
combinations (Martin, 2008) have been proposed. Recent examples for sensor applications include
electronic support measures (Djiknavorian, et al., 2010), physiological monitoring sensors (Lee, et al.,
2010), and seismic-acoustic sensing (Blasch, et al., 2011).

Here we use the Proportional Conflict Redistribution rule no. 5 (PCR5). We replace Smets’ rule
(Smets, 2005) by the more effective PCR5 to cyber detection probabilities. All details, justifications
with examples on PCRn fusion rules and DSm transformations can be found in the DSmT compiled
texts (Dezert, et al., 2009 Vols. 2 & 3). A comparison of the methods is shown in Figure 7.


* Note: PCR used here is from information fusion technology and not the Platform Configuration Register (PCR) of the
Trusted Platform Module (TPM) hardware technology.

[Figure 7 image not reproduced; labels: Evidential Reasoning (DSmT, Dempster, Bayes); Decision Level; Conflict Assessment (PCR5), Proportional Conflict Redistribution; Integrity Level, Integrity Constraints, Set Assessment (DSmC); Sources Level, Qualitative bba, Quantitative bba, Conditional Probabilities; Subjective, Objective.]

Figure 7. Comparison of Bayesian, Dempster-Shafer, and PCR5 Fusion Theories


In the DSmT framework, PCR5 is generally used to combine the basic belief assignments
(bba's). PCR5 transfers the conflicting mass only to the elements involved in the conflict and
proportionally to their individual masses, so that the specificity of the information is entirely
preserved in this fusion process. Let $m_1(\cdot)$ and $m_2(\cdot)$ be two independent bba’s; then the PCR5 rule is
defined as follows (see Dezert, et al., 2009, Vol. 2 for full justification and examples): $m_{PCR5}(\emptyset) = 0$
and $\forall X \in 2^\Theta \setminus \{\emptyset\}$, where $\emptyset$ is the null set and $2^\Theta$ is the power set:

$$m_{PCR5}(X) = \sum_{\substack{X_1, X_2 \in 2^\Theta \\ X_1 \cap X_2 = X}} m_1(X_1)\, m_2(X_2) + \sum_{\substack{X_2 \in 2^\Theta \\ X_2 \cap X = \emptyset}} \left[ \frac{m_1(X)^2\, m_2(X_2)}{m_1(X) + m_2(X_2)} + \frac{m_2(X)^2\, m_1(X_2)}{m_2(X) + m_1(X_2)} \right] \tag{11}$$

where $\cap$ is the intersection and all denominators in the equation above are different from zero. If a
denominator is zero, that fraction is discarded. Additional properties and extensions of PCR5 for
combining qualitative bba’s can be found in (Dezert, 2009, Vol. 2 & 3) with examples and results. All
propositions/sets are in a canonical form.
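
Bayes fusion (Equation 7), Dempster's rule and PCR5 (Equation 11) on the frame {attack, normal}, as an added Python example that is not code from the paper, fused sequentially over a run of normal reports followed by attack reports. The 0.2/0.8 sensor reports, the 0.6 decision threshold and all function names are constructed assumptions.

```python
from itertools import product

ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})

# Constructed sensor reports: Bayesian bba's with mass only on the singletons.
NORMAL_OBS = {ATTACK: 0.2, NORMAL: 0.8}
ATTACK_OBS = {ATTACK: 0.8, NORMAL: 0.2}


def conjunctive(m1, m2):
    """Conjunctive consensus: masses on non-empty intersections, plus the conflict mass."""
    agreed, conflict = {}, 0.0
    for (x1, w1), (x2, w2) in product(m1.items(), m2.items()):
        common = x1 & x2
        if common:
            agreed[common] = agreed.get(common, 0.0) + w1 * w2
        else:
            conflict += w1 * w2
    return agreed, conflict


def bayes(p1, p2, prior):
    """Equation 7: P(X|Z1)P(X|Z2)/P(X), normalized over all hypotheses."""
    unnorm = {x: p1[x] * p2[x] / prior[x] for x in prior}
    total = sum(unnorm.values())
    return {x: v / total for x, v in unnorm.items()}


def dempster(m1, m2):
    """Dempster's rule: discard the conflict and renormalize by 1 - m12(empty)."""
    agreed, conflict = conjunctive(m1, m2)
    if conflict >= 1.0:
        raise ValueError("sources are in total conflict")
    return {x: w / (1.0 - conflict) for x, w in agreed.items()}


def pcr5(m1, m2):
    """Equation 11: each conflicting product m1(X1)*m2(X2) goes back to X1 and X2
    in proportion to the two masses that produced it."""
    fused, _ = conjunctive(m1, m2)
    for (x1, w1), (x2, w2) in product(m1.items(), m2.items()):
        if x1 & x2 or w1 + w2 == 0.0:  # not in conflict, or zero denominator
            continue
        fused[x1] = fused.get(x1, 0.0) + w1 ** 2 * w2 / (w1 + w2)
        fused[x2] = fused.get(x2, 0.0) + w2 ** 2 * w1 / (w1 + w2)
    return fused


def attack_belief_trace(rule, observations):
    """Fuse the reports one after another; return m({attack}) after each step."""
    fused = dict(observations[0])
    trace = [fused.get(ATTACK, 0.0)]
    for obs in observations[1:]:
        fused = rule(fused, obs)
        trace.append(fused.get(ATTACK, 0.0))
    return trace


def detection_delay(rule, n_normal=10, n_attack=15, threshold=0.6):
    """Number of attack reports needed before m({attack}) exceeds the threshold."""
    observations = [NORMAL_OBS] * n_normal + [ATTACK_OBS] * n_attack
    trace = attack_belief_trace(rule, observations)
    for k, belief in enumerate(trace[n_normal:], start=1):
        if belief > threshold:
            return k
    return None


if __name__ == "__main__":
    print("Dempster delay:", detection_delay(dempster))
    print("PCR5 delay:    ", detection_delay(pcr5))
```

Dempster's rule (equal to Bayes with a uniform prior) accumulates near-certainty in the normal state and has to unwind it one report at a time, while PCR5 keeps the fused belief away from saturation and crosses the threshold after far fewer attack reports.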


3.8 Example of DDDAS Cyber Trust Analysis 


In this example, we assume that policies are accepted and that the trust stack must determine
whether the dynamic data is trustworthy. The application system collects raw measurements on the
data intrusion (such as denial of service attacks) and situation awareness is needed. Conventional
information fusion processing would include Bayesian analysis to determine the state of the attack.
However, here we use the PCR5 rule which distributes the conflicting information over the partial
states. Figure 8 shows the results for a normal system being attacked and the different methods
(Bayes, DS, and PCR5) to assess the dynamic attack. Trust is then determined with percent
improvement in analysis. Since the cyber classification of attack versus no attack is not consistent,
there is some conflict in the processing of the measurement data going from a measurement of
attack and vice versa. The constant changing of measurements requires acknowledgment of the
change and data conflict as measured using the PCR5 method.

Figure 8. Results of Bayesian, Dempster-Shafer, and PCR5 Fusion Theories for trust.


The improvement of PCR5 over Bayes is shown in Figure 8 and compared with the modest
improvement from DS. The average performance improvement of PCR5 is 46% and DS is 2%, which
is data and application dependent. When comparing the results, it can be seen that when a system
goes from a normal to an attack state, PCR5 responds quicker in analyzing the attack, resulting in
maintaining trust in the decision. Such issues of data reliability, statistical credibility, and application
survivability all contribute to the presentation of information to an application-based user. While the
analysis is based on behavioral situation awareness, it is understood that policies and secure
communications can leverage this information for domain trust analysis and authentication and
authorization that can map measurements to software requirements.


3.9 Policies Enforcement 


Policies are an important component of cyber trust (Blasch, 2012) as shown in Figure 9. As an
example, a policy is administered for retrieval of information. Policy information determines the
attributes for decisions. Determining the decision leads to enforcement. Such a decision is based on
trust processing from which effective enforcement can support secure communications.

Figure 9. Policy-Based Fusion of Information requiring Trust (Blasch, 2012)


There are many possible information fusion strategies to enable data access from policies. Here we
demonstrate an analysis of Bayesian versus evidential reasoning for determining cyber situation
awareness trust. Future work includes threat intent (Shen, et al., 2009), impact assessment (Shen, et
al., 2007), transition behaviors (Du, et al., 2011) and developing advanced forensics analysis (Yu, et
al., 2013).


4 Conclusions 


Information fusion (IF) and Dynamic Data-Driven Application Systems (DDDAS) are emerging
techniques to deal with big data, multiple models, and decision making. One topic of interest to both
fields of study is a measure of trust. In this paper, we explored a system for cyber security fusion
which addresses system-level application issues of model building, data analysis, and policies for
application trust. IF and data-driven applications utilize a common framework of probability analysis
and here we explored a novel technique of PCR5 that builds on Bayesian and Dempster-Shafer theory
to determine trust. Future research would include real world data, complete analysis of the trust stack,
and sensitivity of models/measurements in secure cyber situation awareness trust analysis.